Sample environment configuration with OpenAM

Now that you know what we will try to achieve in this tutorial let's try to configure our test environment.

Prerequisites

Web containers
Our test environment will consist of 2 instances of OpenAM, each protecting one web application. The first instance will act as an Identity Provider (IdP) and the second as a Service Provider (SP). This gives us 4 web containers (I used Tomcat 6.x) that I've installed on a single machine using different ports (the host names and ports are listed in the Hosts section below).

OpenAM default configuration
In this tutorial I assume you already have all those Tomcats prepared. This means you have some sample applications deployed that represent the ProviderDashboard and IssueReporter web applications. Those webapps should also be protected by OpenAM agents communicating with the appropriate OpenAM instance. However, at this stage there is no SSO or identity federation configured for those instances (that is what we need to do).

If you don't know how to deploy OpenAM please refer to the following guide: How to deploy OpenAM. For now, as ProviderDashboard and IssueReporter you can use any Hello World webapp. When configuring OpenAM agents please create a realm called "test", as this is what we'll be using in this tutorial.

In your OpenAM instances you should also have registered the users that we use in our use case. This means in the IdP OpenAM you should have a user "12345" and in the SP OpenAM there should be a user "filip".

Hosts
My hosts file has 4 different host names set, all pointing to 127.0.0.1, so I can access all of the Tomcats using different host names. The following table summarizes the URLs I use in this tutorial:

App URL | OpenAM URL | Description
http://www.dashboard.idp.com:8010/providerdashboard | http://www.idp.com:8080/openam | ProviderDashboard application and the OpenAM instance protecting it
http://www.reporter.sp.com:8020/issuereporter | http://www.sp.com:8090/openam | IssueReporter application and the OpenAM instance protecting it

If you are using Windows you can configure those hosts by adding the following line (the four host names from the table above, all resolving to 127.0.0.1) to the file C:\Windows\System32\drivers\etc\hosts:

127.0.0.1 www.dashboard.idp.com www.idp.com www.reporter.sp.com www.sp.com

Realm
Select the 'test' realm. Each IdP is directly related to a Realm.

Name – unique name of your IdP
You can use the OpenAM instance URL as the name, assuming you will only have 1 IdP per instance. If you want to have more IdPs per OpenAM instance, use realm names.

Signing key
If you want to digitally sign all your SAML messages, select a signing key. OpenAM offers a test key to be used for testing purposes. For production needs you'll have to generate a new one.

Circle of trust
Provide a name for your circle of trust. All SAML providers that want to communicate with each other need to belong to the same circle of trust.

Attribute mapping
If the IdP and SP identity stores have different schemas but store the same kind of information, you can define an explicit mapping between them. E.g. an email address can be stored in the IdP as 'email' and in the SP as 'mailAddress'. OpenAM suggests the attributes available for your IdP.

Click ‘Configure’ button

On the confirmation screen click ‘Finish’

Remote Identity Provider

Next, we will register the IdP created in the previous step as a remote IdP in the IssueReporter OpenAM:

Url of metadata
If another instance of OpenAM is used as SP then the URL pointing to the service metadata has the following format: http://<sp-openam-url>/saml2/jsp/exportmetadata.jsp
In our case it is: http://www.sp.com:8090/openam/saml2/jsp/exportmetadata.jsp

Circle of trust
Select the same one as used for the IdP.

Attribute mapping
If required, use the same mappings as in the IdP.

Click ‘Configure’ button
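The attribute mapping configured in the hosted IdP step above and repeated here for the remote IdP is just a rename table applied on the SP side. The following Python, an added example that is not OpenAM's own code, applies such a mapping to a constructed sample assertion and treats a missing required attribute as an error rather than linking an incomplete profile; the sample assertion, the extra 'uid' -> 'userId' pair and the function names are assumptions.

```python
"""Apply an OpenAM-style IdP->SP attribute mapping (added example, not OpenAM code)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the IdP stores the address under 'email' and the id under 'uid'.
# A real assertion is signed and must be verified before any attribute is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>12345</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>12345@idp.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>12345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# SP-side mapping in the same shape as the tutorial's 'email' -> 'mailAddress'
# example: key = attribute name at the SP, value = attribute name at the IdP.
ATTRIBUTE_MAP = {"mailAddress": "email", "userId": "uid"}

def extract_attributes(assertion_xml):
    """Return {idp_attribute_name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def map_attributes(idp_attrs, mapping, required=()):
    """Rename IdP attributes to SP names. Unmapped IdP attributes are dropped so
    the SP only receives what it explicitly configured; a missing required
    attribute raises instead of silently yielding an incomplete profile."""
    sp_attrs = {}
    for sp_name, idp_name in mapping.items():
        if idp_name in idp_attrs:
            sp_attrs[sp_name] = idp_attrs[idp_name]
    missing = [name for name in required if name not in sp_attrs]
    if missing:
        raise ValueError("assertion lacks required attribute(s): %s" % missing)
    return sp_attrs

if __name__ == "__main__":
    print(map_attributes(extract_attributes(SAMPLE_ASSERTION), ATTRIBUTE_MAP,
                         required=("mailAddress",)))
```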

General configuration

You can always edit the providers defined in the previous steps. To do that:

Navigate to either the SP or the IdP OpenAM and log in as admin to the OpenAM web console

Click on ‘Federation’ tab

You should see the screen listing all defined circles of trust and all entities (IdPs and SPs). Sample screen for the IdP OpenAM instance:

Click on the entity you'd like to update, e.g. the hosted IdP

You will be redirected to the screen where you can update the default and advanced entity configuration

Environment setup validation

At this stage our test environment should be ready to perform SAML Identity Federation and Single Sign On between our sample ProviderDashboard and IssueReporter applications. In order to validate the setup, perform the following steps:

Select the IdP and SP that you'd like to perform the test for and click the 'Start Test' button

A warning will be displayed that the user will be logged out; click 'OK'

Now the actual test begins. It consists of the following steps:

Authentication for Identity Provider, http://www.idp.com:8080/openam

Authentication for Service Provider, http://www.sp.com:8090/openam

Testing for the ability to link accounts

Testing for single logout

Testing Single Sign On

Testing for account termination

You will be guided through the entire test. While testing account linking you will be asked to provide credentials for the IdP (12345/password) and then for the SP (filip/password). Next it will perform the SSO test, which requires authentication with the IdP credentials once again. At the end of the test you should see a success message.

If everything worked fine you should be able to start using the SAML functionality exposed by OpenAM in your applications. Please note that although your test environment is correctly configured, the sample web applications are not making use of SAML features yet.

In the next chapter I will show how to make use of SAML features exposed by OpenAM in your web applications.

Thanks Filip. I am new to OpenAM, I am trying to setup SSO between 2 Java web apps. I am able to link SP and IdP by following your tutorial. I am kind of lost on how to setup my apps with OpenAM. If you could point to a sample that you are aware of, that will be great.

Thanks Filip. I am able to get the SSO working between 2 web apps. Thanks for your help.

My requirement is to have SSO as well as federated identity management. I have to provide SSO between multiple applications and should be able to talk to multiple identity providers (one for each customer). My application will have an identity provider configured for each customer, whenever a user submits the credentials I have to send it to appropriate IdP. Is this something I can achieve using OpenAM?

I am able to single sign on using the steps mentioned. Now I have a requirement where the SP authentication shouldn't be required while linking the account. Please provide some idea how to configure this scenario.

Good example, however, I was also getting the "unable to link accounts" and finally found out the reason.

Unlike the example, I did not have .idp.com and .sp.com. I had idp.xyz.com, sp.xyz.com: Shared domain.

I was also using the same installer package for OpenAM in both locations.

The solution here is that for this example, if the IdP and the SP are in the same domain, the Cookie name must be different for both instances of OpenAM.

Configuration->ServersAndSites->Default Server Settings->Security->Cookie : rename the cookie from iPlanetDirectoryPro (or whatever you have) to something unique. OpenAM must then be restarted to accept the cookie change.

After doing this, my test was able to proceed, as both IdP and SP can accept concurrent login sessions from the same browser without clobbering one another.

I am unable to link the accounts even after following all the above mentioned steps. Even I checked the cookie and domains also, even then it is not linking the accounts. The one thing I missed is the attribute mapping when creating the entities. Is that the reason for not linking accounts? If not please provide me a solution for this. Thank you